One of my servers has been infected by this cryptojacking malware (reporting to the very same IP as in the article).
It seems known for this malware to propagate through some Confluence vulnerabilities; however, my server doesn't run Confluence, and the process was actually owned by root, so the entry point is different.
Is this malware already associated with other software vulnerabilities? (I couldn't find any.) Are there guidelines to find what could have been the entry point? Should I report this issue anywhere else?
The script attempts to create a `cloud_agent.service` service under `/etc/systemd/system/`. The last modification of this file dates from June 15th, 22:03, and the file is owned by `root:Debian-exim`, which indicates that the entry point was Exim. The Exim logs show an attempt to exploit a recently identified Exim vulnerability at the very same date and hour, and the code injection resolves to the very same IP.
So this malware was definitely installed through this Exim vulnerability.
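The triage step described above (checking who owns a dropped unit file and when it was last modified) can be turned into a repeatable check. The following script is an added example, not code from the original post: it walks a systemd unit directory, reports owner, group and mtime for each unit, and flags units whose owner or group is not `root` or whose mtime falls inside a chosen window. The `assess_unit` function is separated from the filesystem walk so it can be exercised with constructed records; the thresholds and the directory path are assumptions.

```python
import os
import pwd
import grp
import time
from dataclasses import dataclass, field


@dataclass
class UnitFinding:
    path: str
    owner: str
    group: str
    mtime_epoch: float
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)

    @property
    def mtime_iso(self) -> str:
        return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(self.mtime_epoch))


def _uid_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _gid_name(gid: int) -> str:
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def assess_unit(path, owner, group, mtime_epoch,
                window_start=None, window_end=None) -> UnitFinding:
    """Apply the ownership and timing heuristics from the post.

    A unit file under /etc/systemd/system written by a service account
    (here the post saw root:Debian-exim) is a strong hint that the service
    account's process, not an administrator, created it.  An optional
    [window_start, window_end] epoch range flags units modified while an
    exploitation attempt is known to have happened.
    """
    finding = UnitFinding(path, owner, group, mtime_epoch)
    if owner != "root":
        finding.reasons.append(f"owner is {owner}, expected root")
    if group != "root":
        finding.reasons.append(f"group is {group}, expected root")
    if window_start is not None and window_end is not None:
        if window_start <= mtime_epoch <= window_end:
            finding.reasons.append("modified inside the suspected compromise window")
    return finding


def scan_units(directory="/etc/systemd/system", window_start=None, window_end=None):
    """Stat every *.service unit in `directory` and assess it (assumed path)."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".service"):
            continue
        full = os.path.join(directory, name)
        if not os.path.isfile(full):
            continue  # skip symlinks to enabled units and other non-files
        st = os.stat(full)
        findings.append(assess_unit(full, _uid_name(st.st_uid), _gid_name(st.st_gid),
                                    st.st_mtime, window_start, window_end))
    return findings


if __name__ == "__main__":
    # Run on a real host: report every unit, marking the ones worth a closer look.
    for f in scan_units():
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.path} {f.owner}:{f.group} {f.mtime_iso} {'; '.join(f.reasons)}")
```

Cross-check flagged units against the mail (or other service) logs for the same timestamp, as the post did; the group name alone tells you which service account wrote the file, while the mtime is what ties it to a specific log entry.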